Ensure that you have:

  • A PingDirectory server that accepts LDAPS connections

    This server will host the admin console that is being configured for SSO.

  • A PingOne account

    For more information, see Getting Started with PingOne.

Tip:

You can use groups to organize user identities, as explained in Groups. You can also set access to applications, as explained in Application access control.

During this setup:

To set up SSO to the PingDirectory administrative console from PingOne:

  1. From the admin console home page, add PingOne and PingDirectory:
    • To add a new environment for PingOne SSO and PingDirectory:
      1. On the PingOne console home page, click Add Environment.
      2. Select Customer solution, and then click Next.
      3. Click Next.
      4. Enter an Environment Name and Description, then in the labeled lists, select an Environment Type, Region, and License.
      5. Click Finish.

        PingOne SSO, PingOne Risk, PingOne Verify, and PingOne MFA are automatically deployed.


        A screen capture of the PingOne admin console Create Environment page showing PingOne SSO will be automatically deployed.
      6. On the PingOne console home page, in the Your Environments list, select your new environment, and then click the + icon.
      7. Click Add next to PingDirectory.
        Note:

        Services that have been already added have a green check mark icon next to the service name instead of + Add.

      8. Click Finish.
    • To add PingOne SSO and PingDirectory to an existing environment:
      1. On the PingOne console home page, in the Your Environments list, select the environment, and then click the + icon.
      2. Click Add next to PingOne SSO and PingDirectory.
        Note:

        Services that have been already added have a green check mark icon next to the service name instead of + Add.

      3. Click Finish.
    1. Click Add Admin UI Link, and in the Enter Admin URL field, enter https://<hostname>:<port>/console/login, replacing the bracketed variables with the PingDirectory server's hostname and HTTP port.
      Tip:
      You can specify the LDAP server to bind to using the query parameters ldap-hostname and ldaps-port when the administrative console is configured for SSO. By binding to the LDAP server, you can use a single console instance to administer multiple PingDirectory servers. An LDAPS scheme is always assumed because an encrypted connection is always required for SSO. Using these parameters, you can specify the URL as follows.
      https://<hostname>:<port>/console?ldap-hostname=<my-ldap-host>&ldaps-port=<my-ldaps-port>
    2. Click Save.
  2. To configure the matching administrator accounts for PingOne and the PingDirectory server, go to the PingOne dashboard for the environment that will be used with the PingDirectory server and repeat the following steps for each PingOne user for whom you want to enable SSO:
    1. On the admin console home page, select the appropriate environment and click the PingOne icon.
    2. In PingOne, go to Identities.
    3. Select the administrative user you want to configure and click the Expand icon.
    4. Run the following dsconfig command and replace the bracketed fields with the values of the administrative user.
      ~/<pd_install>/dsconfig create-root-dn-user --user-name <Username> \
        --set first-name:<Given Name> \
        --set last-name:<Family Name>
  3. Register the admin console with PingOne.
    1. Go to Add an application - Web application and follow the instructions in the Add an OIDC application subsection.
    2. Enter the application properties, as shown in this table.
    Property Value

    Application Name

    PingDirectory Administrative Console

    Description

    Application for the PingDirectory Administrative Console

    Redirect URLs

    https://<hostname>:<port>/console/oidc/cb

    Note:
    Replace the bracketed values in Redirect URLs with your PingDirectory server's hostname and HTTP port. To find the port, run the status command from the bin directory.
    0.0.0.0:11443 : HTTPS    : Enabled  : HTTPS Connection Handler

    Attribute Mapping

    'Username' = 'sub'

    Note:

    No OIDC scopes are required for PingOne to grant access to the PingDirectory console.

  4. Select the newly-created PingDirectory Administrative Console application in the Applications list, and go to the Configuration tab.
  5. To edit the listed configuration properties, click the Pencil icon.

    Edit the configuration properties using the values in this table.

    Property Value

    Response Type

    Select the Code check box.

    Grant Type

    Select the Authorization Code check box.

    Token Endpoint Authentication Method

    Click Client Secret Basic.

    Note:

    For more information about updating the properties of your new application, see Edit an application - OIDC in the PingOne Administration Guide.

  6. Click Save.
  7. Click the toggle to enable user access to the application.
  8. On the Configuration tab, record the values for these application properties to use in step 10:
    • Issuer
    • Client ID
    • Client Secret
  9. Create a copy of the PingDirectory/config/sample-dsconfig-batch-files/enable-pingone-admin-console-sso.dsconfig file, leaving the source file as-is.
  10. Open the copy of the file and replace the bracketed values with the values from step 8.
    # Create an ID token validator suitable for verifying ID tokens generated
    # by the PingOne service. The "All Admin Users" identity mapper will be used
    # to match users that authenticate with PingOne to either root DN users or
    # topology admin users defined in the server configuration.
    dsconfig create-id-token-validator \
    --validator-name "PingOne ID Token Validator" \
    --type ping-one \
    --set enabled:true \
    --set "identity-mapper:All Admin Users" \
    --set evaluation-order-index:1 \
    --set issuer-url:[PING_ONE_APPLICATION_ISSUER_URL]
    
    [...]
    
    # Configure the Administrative Console with your application's client
    # credentials and issuer URI.
    dsconfig set-web-application-extension-prop \
    --extension-name Console \
    --set sso-enabled:true \
    --set oidc-client-id:[PING_ONE_APPLICATION_CLIENT_ID] \
    --set oidc-client-secret:[PING_ONE_APPLICATION_CLIENT_SECRET] \
    --set oidc-issuer-url:[PING_ONE_APPLICATION_ISSUER_URL]
  11. Run the file using the following command.
    dsconfig --batch-file \
        enable-pingone-admin-console-sso-copy.dsconfig \
        --no-prompt
  12. Select the link to the PingDirectory server from the PingOne solutions home page.

    A PingOne sign-on page opens.

  13. Sign on using the administrative user credentials.

    The PingDirectory server administrative console home page opens.